8b52cab5ef
This adds API tokens as a new credential type. Their format is: `oh.<name>.<random chars>`. The "oh." prefix is used to tell them apart from a JWT access token, because they're both used as a Bearer authorization scheme, but there is no semantic value attached to any of the other parts. They are stored hashed in the user's profile, and can be listed, added or removed with the new `openhab:users` console command.

Currently the scopes are still not checked, but ultimately they could be, for instance a scope of e.g. `user admin.items` would mean that the API token can be used to perform user operations like retrieving info or sending a command, _and_ managing the items, but nothing else - even if the user has more permissions because of their role (which will of course still be checked).

Tokens are normally passed in the Authorization header with the Bearer scheme, or the X-OPENHAB-TOKEN header, like access tokens. As a special exception, API tokens can also be used with the Basic authorization scheme, **even if the allowBasicAuth** option is not enabled in the "API Security" service, because there's no additional security risk in allowing that. In that case, the token should be passed as the username and the password MUST be empty. In short, this means that all these curl commands will work:

- `curl -H 'Authorization: Bearer <token>' http://localhost:8080/rest/inbox`
- `curl -H 'X-OPENHAB-TOKEN: <token>' http://localhost:8080/rest/inbox`
- `curl -u '<token>[:]' http://localhost:8080/rest/inbox`
- `curl http://<token>@localhost:8080/rest/inbox`

2 REST API operations were added to the AuthResource, to allow authenticated users to list their tokens or remove (revoke) one. Self-service for creating a token or changing the password is more sensitive so these should be handled with a servlet and pages devoid of any JavaScript instead of REST API calls, therefore for now they'll have to be done with the console.

This also fixes regressions introduced with #1713 - the operations annotated with @RolesAllowed({ Role.USER }) only were not authorized for administrators anymore.

* Generate a unique salt for each token
  Reusing the password salt is bad practice, and changing the password changes the salt as well which makes all tokens invalid. Put the salt in the same field as the hash (concatenated with a separator) to avoid modifying the JSON DB schema.
* Fix API token authentication, make scope available to security context
  The X-OPENHAB-TOKEN header now has priority over the Authorization header for credentials, if both are set.
* Add self-service pages to change password & create new API token

Signed-off-by: Yannick Schaus <github@schaus.net>
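The credential handling the commit message describes (the `oh.` prefix, the X-OPENHAB-TOKEN priority, the Basic-scheme exception with an empty password, and per-token salts stored alongside the hash) as an added illustration in Python; this is not the openHAB Java implementation, and the `$` separator, SHA-256 and the sample token values are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example values: the commit fixes only the "oh." prefix, so the
# separator and hash function below are assumptions of this illustration.
TOKEN_PREFIX = "oh."
SALT_SEP = "$"

def hash_token(token: str) -> str:
    """Store the token as "<salt>$<hash>" with a fresh salt per token, so that
    changing the password (which has its own salt) cannot invalidate tokens."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + token.encode()).hexdigest()
    return salt.hex() + SALT_SEP + digest

def verify_token(token: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    salt_hex, _, digest = stored.partition(SALT_SEP)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + token.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def extract_credential(headers: dict, allow_basic_auth: bool = False):
    """Return ("api_token", tok), ("jwt", tok), ("basic", (user, pw)) or None.
    X-OPENHAB-TOKEN wins over Authorization when both headers are present."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-openhab-token" in h:
        return ("api_token", h["x-openhab-token"])
    scheme, _, value = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        # The "oh." prefix tells an API token apart from a JWT access token.
        kind = "api_token" if value.startswith(TOKEN_PREFIX) else "jwt"
        return (kind, value)
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        # API token as username with an empty password is accepted even when
        # the allowBasicAuth option is off; ordinary user:password is not.
        if user.startswith(TOKEN_PREFIX) and pw == "":
            return ("api_token", user)
        if allow_basic_auth:
            return ("basic", (user, pw))
    return None
```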
openHAB Core
This project contains core bundles of the openHAB runtime.
Building and running the project is fairly easy if you follow the steps detailed below.
Please note that openHAB Core is not a product itself, but a framework to build solutions on top. It is picked up by the main openHAB distribution.
This means that what you build is primarily an artifact repository of OSGi bundles that can be used within smart home products.
1. Prerequisites
The build infrastructure is based on Maven. If you know Maven already then there won't be any surprises for you. If you have not worked with Maven yet, just follow the instructions and everything will miraculously work ;-)
What you need before you start:
- Java SE Development Kit 11
- Maven 3 from https://maven.apache.org/download.html
Make sure that the mvn command is available on your path.
2. Checkout
Checkout the source code from GitHub, e.g. by running:
git clone https://github.com/openhab/openhab-core.git
3. Building with Maven
To build this project from the sources, Maven takes care of everything:
- set MAVEN_OPTS to -Xms512m -Xmx1024m
- change into the openhab-core directory (cd openhab-core)
- run mvn clean install to compile and package all sources
If there are tests that are failing occasionally on your local build, run mvn -DskipTests=true clean install instead to skip them.
How to contribute
If you want to become a contributor to the project, please read about contributing and check our guidelines first.